LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Scan behind Router With nMap? (https://www.linuxquestions.org/questions/linux-security-4/scan-behind-router-with-nmap-283193/)

arpanet1969 01-28-2005 03:47 AM
Scan behind Router With nMap?
 
Hi,

I recently had a system comprimise. This kinda baffled me because my logs definately show typical nMap scanning techniques, but all the computers on the network (192.168.0.2, 192.168.0.3 and so on...) are behind a router on 192.168.0.1 (which uses an external IP address to communicate with the internet). I tried to scan myself (using the external IP address), only to find my scan results returned my router with ONLY port 5190/tcp (aol) open.

-Is it possible to use nMap to scan behind a router??
-Is there another method (such as traceroute) which is used to locate 'network computers' (ones connecting to the internet via a router)?
-Am I right in assuming that when on the internet, for example on the computer 192.168.0.5, this has a new IP address assigned to it even though it's going through a router which uses an external IP address?
-How are computers identified on the internet, when using the same external IP address on the router?

Please, please help me with the above questions.

Any help would be much appreciated.

Thanks

Arpanet
[a not-so-good sysadmin :confused:]

TheIrish 01-28-2005 05:38 AM
Ok, let's take it from the beginning.
theorically, when a LAN uses internet services behind a NAT, it works with the same external IP address (or address, with nat pools, but it's not your case). It is the router's job to translate addresses and no one would ever know if it's a siingle workstation or an entire LAN.
If you add a static NAT translation you allow a person to contact a PC in your LAN from the outside but, again, it shouldn't be your case.
But this is theory. There are malicious techniques to force not-so-well-configured or not-so-great-quality routers to give out informations reguarding the LAN. Moreover, there are malicious techniques to contact LAN members directly.
The main dubt in this case is that your firewall seems to be blocking almost everything except one port. AOL can be an entrance point, but, man... these guy must be very angry. If I were you, I'd first try to search the problem elsewhere, like unknown mail messages etc.
Reguarding NMAP... as I always say, NAT doesn't mean security. NMAPping a router with NO firewall can end up with different responses, depending on the router. Does your router have a firewall?
For istance, there are vendors (their name will no be told) whose routers... if they don't have NAT infos, nor firewall rules, they just forward to all the cilents!!
That's mad


All times are GMT -5. The time now is 09:55 AM.